mirror of https://github.com/topjohnwu/selinux.git
synced 2025-01-27 22:32:24 +00:00
1beb818f10
Commit 99fc177b "Add neverallow support for ioctl extended permissions" first checks to see if the ioctl permission is granted, then checks to see if the same source/target violates a neverallowed ioctl command. Unfortunately this does not address the case where the ioctl permission and extended permissions are granted on different attributes.

Example: the following will incorrectly cause a neverallow violation.

    allow untrusted_app self:tcp_socket ioctl;
    allowxperm domain domain:tcp_socket unpriv_sock_ioctls;
    neverallowxperm untrusted_app domain:tcp_socket ~unpriv_sock_ioctls;

The fix is to enumerate over the source and target attributes when looking for extended permission violations.

Note: The bug this addresses incorrectly asserts that a violation has occurred. Actual neverallow violations are always caught.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Tested-by: William Roberts <william.c.roberts@intel.com>
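A simplified model of the check the commit message describes, added here as an example and not libsepol code: it assumes the SELinux rule that an allowed ioctl permission with no matching allowxperm rule permits every ioctl command, and uses a constructed toy policy in which placeholder command numbers stand in for unpriv_sock_ioctls. Running the check with exact source/target matching reproduces the false violation; enumerating attributes clears it while a real violation is still reported.

```python
# Simplified model of neverallowxperm checking (constructed example, not libsepol).
# Types map to their attributes; xperm sets are sets of 16-bit ioctl command numbers.
ALL_IOCTLS = frozenset(range(0x10000))

# Constructed toy policy mirroring the commit message's example.
ATTRS = {"untrusted_app": {"domain"}, "system_server": {"domain"}}
UNPRIV = frozenset({0x5401, 0x8912})           # placeholder for unpriv_sock_ioctls
# allow untrusted_app self:tcp_socket ioctl;  ("self" written out as the type)
ALLOW = [("untrusted_app", "untrusted_app", "tcp_socket", {"ioctl"})]
# allowxperm domain domain:tcp_socket unpriv_sock_ioctls;
ALLOWXPERM = [("domain", "domain", "tcp_socket", UNPRIV)]
# neverallowxperm untrusted_app domain:tcp_socket ~unpriv_sock_ioctls;
NEVERALLOWXPERM = ("untrusted_app", "domain", "tcp_socket", ALL_IOCTLS - UNPRIV)

def expand(name):
    """Concrete types named by a type or attribute."""
    return {t for t, attrs in ATTRS.items() if t == name or name in attrs}

def matches(rule_name, type_name):
    """True if a rule's type/attribute field covers the concrete type."""
    return rule_name == type_name or rule_name in ATTRS.get(type_name, ())

def granted_xperms(src, tgt, cls, by_attribute, allowxperm):
    """ioctl commands a concrete (src, tgt) pair may issue on cls."""
    if not any(matches(s, src) and matches(t, tgt) and c == cls and "ioctl" in p
               for s, t, c, p in ALLOW):
        return frozenset()                       # no ioctl permission at all
    if by_attribute:                             # fixed: enumerate attributes
        rules = [x for s, t, c, x in allowxperm
                 if matches(s, src) and matches(t, tgt) and c == cls]
    else:                                        # buggy: exact source/target only
        rules = [x for s, t, c, x in allowxperm
                 if s == src and t == tgt and c == cls]
    # ioctl allowed but no allowxperm rule found means every command is allowed,
    # which is what turns the missed domain/domain rule into a false violation.
    return ALL_IOCTLS if not rules else frozenset().union(*rules)

def violations(by_attribute, allowxperm=ALLOWXPERM):
    """(src, tgt, first offending commands) for each pair breaking the neverallowxperm."""
    ns, nt, ncls, forbidden = NEVERALLOWXPERM
    found = []
    for src in expand(ns):
        for tgt in expand(nt):
            bad = granted_xperms(src, tgt, ncls, by_attribute, allowxperm) & forbidden
            if bad:
                found.append((src, tgt, sorted(bad)[:3]))
    return found
```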